Developing Business Focus in Security Initiatives
How should I as a security leader approach my role to support and develop a business focus in my security initiatives?
Security leaders are consistently told to "align security with the business." However, figuring out how to do this successfully is often elusive. There can be many reasons, and the path is not always straightforward. When I work with clients to develop better business focus, there are three principal issues I look at:
What motivates the business leaders - For commercial organizations (government agencies and non-profits may have different but similar motivators) this can be divided into three broad categories: financial, compliance and duty of care.
It is critical for the security leader to understand and convey risks in one of these categories. Too often, what is communicated is metrics on vulnerabilities, the number of incidents or other technical data with the expectations that executives can deduce business impact from these. These three executive motivators are often expressed in terms of strategic corporate risks and are frequently monitored by both executives and the board of directors. More on this later.
The successful security leader translates technical data into impacts related to one of the three business motivators, and the best way to do that is to realize technical metrics are only the starting point - we need to identify root causes. For example, instead of just tracking and reporting the number of vulnerabilities found during network scans, we need to ask why these vulnerabilities continually occur, and what this means in terms of finance, compliance or duty of care. Understanding root causes rather than symptoms is also critical in dealing with the second issue.
Tactical and fire-fighting versus proactive and strategic - The number one complaint I hear from security leaders is that they are in a continuous fire-fighting mode. Very often this is due in part to organizational issues, but it also is symptomatic of not identifying and dealing with the root causes of problems. When security leaders identify root causes, they find that the solutions more often involve people, process and organization rather than technical controls.
Business alignment - Many security practitioners believe alignment can be reduced to an (often fudged) ROI calculation - it's not. Business alignment is actually a rather complicated issue that again involves analysis of people, organization, process and policy. Nevertheless, there are a few common elements that a security leader should understand. In particular, there are two dimensions to business alignment: vertical and horizontal.
Vertical alignment is the traditional relationship between the security organization and senior executives and the board of directors. Every medium to large organization with an effective governance framework will identify, monitor and manage strategic risks to the business. It is the management of these risks (along with financial metrics) that senior executives are often held accountable for by the board of directors. Security leaders need to determine what these risks are and how security can affect some or all of them. Sometimes, executives feel these risks are sensitive information. However, if your organization is a publicly traded company, its 10-K filing will probably provide information on these and other identified business risks. Every security professional of a publicly traded company should read and understand the non-financial information in their company's Form 10-K (20-F for foreign companies and 40-F for Canadian companies).
Horizontal alignment relates to the common risk factors shared with the other organizational functions such as human resources, legal (general counsel), audit, physical security, IT, etc. There is tremendous overlap of threats and risks between these parties. An example of growing importance is management of electronic discovery between IT and legal. Another is the move to digital and IP-based physical security controls. Security leaders need to identify these common risk elements and their impact to the business, and work collaboratively with the other functions' business leaders to manage these risks jointly. This is what I call security convergence. These two dimensions need to be balanced and reinforce each other.
Developing an effective business focus for security is not easy - it is more complicated than most security practitioners realize. It requires good political and organizational skills, as well as the ability to identify strategic risk factors and prioritize and effectively communicate them.
Isn't that what makes any good leader?
Kent Anderson, founder and managing director of Encurve LLC, is considered a leading authority on security, with more than 22 years of experience in the field. He has held positions as SVP of IT Security and Investigations with an international business risk consultancy, as Director in the Dispute Analysis & Investigations group of PricewaterhouseCoopers, and as the European Information Security Manager for Digital Equipment Corp.